aspect-build / rules_js

High-performance Bazel rules for running Node.js tools and building JavaScript projects
https://docs.aspect.build/rules/aspect_rules_js
Apache License 2.0

[Bug]: `origRealpath` in fs patch is not the original `fs.realpath` #1898

Open fa93hws opened 3 months ago

fa93hws commented 3 months ago

What happened?

In the fs patch, it's assumed that the methods in `fs` are independent, so the original `fs` methods from before patching are still accessible:

```js
const origReadlink = fs.readlink.bind(fs);
const origRealpath = fs.realpath.bind(fs);
```

However, that's not the case, and it can be easily reproduced by running the following code snippet:

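```js
const fs = require('fs');
// Replace fs.readlink after the fact, the way a patch would.
fs.readlink = () => {
  throw new Error('123');
};
// The async fs.realpath calls the replaced fs.readlink internally.
fs.realpath('<some symbolic link>', (err, out) => {
});
```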

which throws an error:

```
> Uncaught Error: 123
    at fs.readlink (REPL19:1:29)
    at node:fs:2908:10
>
```

That indicates that the behaviour of `origRealpath` has been changed as soon as `readlink` got patched! And it can lead to a sandbox escape from here. In my case, `origRealpath` returns something in the Bazel out directory which is again a symlink, and `origReadlink` later resolves it to something in my source directory.

Version

Only the Node.js version matters:

Node.js v20.12.2

How to reproduce

No response

Any other information?

No response
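A regression probe for the behaviour reported above, written as an added example (it is not code from the issue or from rules_js): it counts how often a captured `fs.realpath` goes through a later-replaced `fs.readlink`, and runs the same check against `fs.realpath.native`, Node's libuv-backed variant, for comparison. The helper names `makeFixture`, `probe` and `runProbe` and the temporary fixture are assumptions made for this example.

```javascript
// Added example, not rules_js code. Helper names are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed fixture: <tmp>/target (empty file) and <tmp>/link -> target.
function makeFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'realpath-probe-'));
  const dir = fs.realpathSync(base); // tmpdir itself may sit behind a symlink
  const target = path.join(dir, 'target');
  const link = path.join(dir, 'link');
  fs.writeFileSync(target, '');
  fs.symlinkSync(target, link);
  return { dir, target, link };
}

// Resolve `link` with `realpathFn` while a counting spy replaces fs.readlink
// after the function was captured. Any call counted here means the captured
// function still dispatches through the live, patchable fs.readlink property.
function probe(realpathFn, link) {
  const saved = fs.readlink;
  let readlinkCalls = 0;
  fs.readlink = function (...args) {
    readlinkCalls += 1;
    return saved.apply(fs, args);
  };
  return new Promise((resolve, reject) => {
    realpathFn(link, (err, resolved) => {
      fs.readlink = saved; // always restore the real function
      if (err) reject(err);
      else resolve({ resolved, readlinkCalls });
    });
  });
}

// Probes run one after another so the two spies never overlap.
async function runProbe() {
  const fx = makeFixture();
  try {
    const captured = fs.realpath.bind(fs); // same capture pattern as the issue
    const js = await probe(captured, fx.link);
    const native = await probe(fs.realpath.native.bind(fs), fx.link);
    return { target: fx.target, js, native };
  } finally {
    fs.rmSync(fx.dir, { recursive: true, force: true });
  }
}
// Usage: runProbe().then(console.log);
```

A non-zero `js.readlinkCalls` reproduces the coupling described in the issue; `native.readlinkCalls` staying at zero shows that variant does not pass through the JavaScript-level `fs.readlink`.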